CFPB Finalizes Rule Permitting Financial Institutions to Post Privacy Notices Online

By: Kristie D. Kully, David A. Tallman, Jeremy M. McLaughlin

Last week, the CFPB finalized its rule permitting certain financial institutions to post their annual privacy notices online, claiming it will benefit consumers and financial institutions alike. The rule became effective on October 28, 2014, and applies to banks and non-banks within the CFPB’s jurisdiction.

Under the Gramm-Leach-Bliley Act (“GLBA”) and Regulation P, a financial institution must send initial and annual privacy notices to its customers explaining whether and how it shares customers’ nonpublic personal information. If the financial institution wishes to share nonpublic personal information with an unaffiliated third party outside of an applicable exception, it must also notify customers of their right to opt out of the sharing and provide instructions on how they do so.

The new rule provides institutions with an alternate way to comply with the GLBA’s privacy notice requirements. It permits a financial institution to post its privacy policy online in certain circumstances, rather than distributing an annual paper copy. However, the institution still must notify its customers annually through regular communications (like a monthly statement) that the privacy policy is available online, and in hard copy by request.

The catch? A financial institution can rely on this online posting method to satisfy its annual privacy notice delivery requirements only if the following criteria are met:

  • The financial institution does not share customers’ nonpublic personal information with nonaffiliated third parties in a manner that triggers GLBA’s opt out rights
  • The privacy notice does not include a Fair Credit Reporting Act (“FCRA”) affiliate-sharing opt-out (FCRA requires a person other than a consumer reporting agency (“CRA”) to provide a consumer with a reasonable opportunity to opt out prior to sharing that consumer’s personal information with an affiliate in a manner that otherwise would cause the person to be a CRA)
  • The FCRA affiliate marketing opt-out requirements have been satisfied previously or the annual privacy notice is not the only notice provided to satisfy such requirements (FCRA and its implementing regulations also require a person to provide a consumer with a reasonable opportunity to opt out before it may use certain “eligibility information” received from a non-CRA affiliate to solicit the consumer)
  • The information in the privacy notice has not changed since the customers’ last receipt of the institution’s privacy notice
  • The financial institution uses the model disclosure form developed by federal regulatory agencies in 2009

The CFPB believes its new rule will promote consumer education by making privacy policies continuously available online and by requiring the use of the model form. The CFPB also projects the rule could reduce costs for the industry by approximately $17 million and lead to reduced sharing of consumer data. Notably, however, the restrictive set of criteria may severely limit the practical utility of the final rule even for those institutions that do not need to provide consumer opt outs. Few companies use the model notice in exactly the form that is set forth in Regulation P; even an insignificant departure from the model form in respect to either format or content could render an institution ineligible to deliver its annual privacy notice online.


Copyright © 2019, K&L Gates LLP. All Rights Reserved.